I’ve spent a significant amount of time researching session expiration in Drupal.

It turns out that by default a Drupal session lasts 23 days. You can configure the session to expire after a shorter interval, and you can configure Drupal to expire the session when the browser closes.

In addition, there is a module called Session_Expire, which moves the cleanup of the sessions table in the database to the core Drupal cron job instead of relying on PHP garbage collection, whose behavior can vary with your particular operating system.

Here are the details of what I changed in one Drupal 6 setup. There is a whole section on session settings, which are stored in /sites/default/settings.php.
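For orientation, here is an added example (not the author's actual changes) of the two session directives in a stock Drupal 6 settings.php beside shortened values. The one-hour and eight-hour figures are constructed sample values, so pick ones that fit your own policy.

```php
<?php
// Added example of the session section in sites/default/settings.php (Drupal 6).

// Stock Drupal 6 values, shown commented out for comparison.
// The cookie lives 2,000,000 seconds, which is the roughly 23-day default.
// ini_set('session.cookie_lifetime', 2000000);
// ini_set('session.gc_maxlifetime',  200000);

// Server side: rows in the sessions table that have been idle longer than
// this many seconds become eligible for deletion by garbage collection.
// 3600 (one hour) is a constructed sample value.
ini_set('session.gc_maxlifetime', 3600);

// Client side, option 1: expire the session when the browser closes.
// A lifetime of 0 makes the cookie a browser-session cookie.
ini_set('session.cookie_lifetime', 0);

// Client side, option 2: a fixed shorter interval instead of option 1.
// 28800 (eight hours) is a constructed sample value.
// ini_set('session.cookie_lifetime', 28800);

// Note: gc_maxlifetime only marks rows as eligible. They are actually
// removed when PHP's session garbage collector runs, which happens on a
// fraction of requests set by session.gc_probability / session.gc_divisor.
// Some OS packages (Debian and Ubuntu, for example) ship gc_probability = 0,
// so the collector never fires from PHP and stale rows stay in the table.
// That gap is what running the cleanup from cron is meant to close.
```

To check the effect, log in, then look at the expiry of the session cookie in the browser and at the `timestamp` column of the `sessions` table after the idle interval and a cron run.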